Q&A with Cyber Risk Aware: Why cyber risk is human risk

We speak to Stephen Burke, Founder and CEO at Cyber Risk Aware about the challenges faced by organisations and how they can protect themselves from cyber crime by minimising the human risk.

Shares

With 95 per cent of incidents caused by human error, it’s essential to educate users and make organisations aware of how to protect themselves from cyber crime by minimising the human ‘cyber risk’ and what practical measures they should be implementing. Cyber Risk Aware is doing just that. It assists companies in creating a human firewall and last line of defence against cyber criminals by providing user security awareness training and assessment content which actively reduces the risk of human error.

We speak to Stephen Burke, Founder and CEO at Cyber Risk Aware about the challenges faced by organisations and how they can protect themselves from cyber crime by minimising the human risk.

What do you see as the biggest challenges for CISO’s implementing a culture of cyber security awareness?

Organisations are aware of the importance of cyber security, but can only ever be as strong as their weakest link. Research from both IBM and CompTIA has highlighted that human error is a big contributory factor when it comes to data breaches.

The stark reality is that cybercriminals are having massive success, affecting companies and economies worldwide. This is predominantly due to people clicking on links and opening malicious email attachments, visiting websites they shouldn’t be, downloading dodgy software and using the same password across multiple accounts, all of which results in data breaches and stolen identities. If employees were more aware of the dangers, they could easily become the most powerful defence a company has.

How are cyber criminals increasingly exploiting the ‘human risk’? What about human nature?

It’s no secret that cybercriminals are heavily commercialising their opportunities, actively targeting people and not systems. The reason for this is that they see people as the weak link in the network because we are curious by nature, often busy, and most tend not to think bad things of other people, resulting in an over-trusting mindset when it comes to cyber security.

Hackers are great at exploiting this human nature, using social engineering tactics to gain their victims’ trust and encouraging them to click on malicious links designed to harvest their credentials. People are trusting and if they believe an email comes from a trusted source, they won’t hesitate to open and click on an email. For example, CEO fraud exploits human nature with a vengeance; although most users now know not to click on links in emails from addresses that they don't recognise, many are still willing to take the identity of a sender at face value.

As an ex-CISO yourself, what are the main security lapses that you’ve seen employees make?

During my time as a CISO I witnessed multiple security lapses from employees, the main one being people still falling for phishing emails. For all the sophistication that you hear around cyber security, phishing really isn’t comparable to attacks such as nation-state hacking. Cyber attackers prey on an employee’s curiosity and their failure to take a few seconds to analyse an email and understand its context.

It's also the case that senior executives are prone to security lapses. For example, they tend to save data locally on their machines which they would then take travelling. However, they often fail to copy that data to a network once they return, so that it can be easily restored.

Cyber criminals know who senior executives are and how to target them. For example, there was an instance where a senior executive was receiving emails they thought were from a family member and then clicked on a link. This ultimately revoked all access to their personal accounts which had to be quarantined once it had connected to the corporate network.

Senior executives require a tailored approach to training. Organisations need to help raise awareness across the whole organisation and every level of the hierarchy to understand how criminals operate, how they target individuals, what they’re after and what they do once they get it.

A recent report from Accenture found that 55 per cent of workers in the UK can’t remember having been given cybersecurity training – what are your views on this?

In the past, organisations have made employees carry out annual compliance training which is merely a tick-the-box exercise where the courses are crammed with information without being thoughtfully planned out. People can’t retain what they’ve been taught after eight minutes so an hour-long course is an ineffective form of training, making it a waste of time for both the employee and the organisation.

These annual compliance training courses are also very costly to the organisation in terms of productivity. Previous courses have been known to take around an hour and a half in one go, meaning an employee is taken away from doing their job for this long period of time. Cyber security awareness training needs to be delivered in bite-size chunks, engaging and tailored to each department or industry.

What would your advice be to an organisation looking to get started with a cyber awareness programme?

It goes without saying that technical defences such as email filtering, gateways and antivirus are required in this digital age. However, with an ever-increasing number of malicious emails getting through these defences, companies need to invest in their human firewalls to protect their networks.

In order to effectively build a human firewall, organisations need to firstly assess the level of human cyber risk it has by taking an initial baseline of how phish prone the business is by user, department, office or location. This can be achieved by conducting phishing simulations and cyber knowledge assessment quizzes so that organisations can then identify where the risks lie and develop a plan of action to mitigate these risks.For those that are identified as not being aware of the risks, organisations can provide them with targeted awareness training content that will reinforce how they can defend themselves and their employer.

With security awareness training, employees learn how to follow best practice, as well as being empowered to report anything suspicious. As a result, employees can become a highly effective network of human sensors who will protect themselves both in and out of the workplace, and increase the likelihood of stopping incidents from occurring in the first place. It is important to make reporting effortless for staff by having a button available in each email that they simply click and the security team are notified immediately.

How do you see cyber security training evolving in the future?

Security awareness comes at an expense in both cost and delivery as organisations are required to take employees away from their day jobs. But what if it was possible to get to a place where you only provide a training course based on the risky behaviour of an individual? With time being of the essence in business, there is no sense making an employee complete a course on passwords when they’re already aware of how to safely create and store strong passwords.

Looking forward, network monitoring can be integrated into cyber security awareness solutions and used to send individuals tailored training courses in response to risky activity they've undertaken on the network. ‘Just in time' training or real-time intervention awareness, can detect risky behaviour and flag required training to an employee instantly. This makes the bite-size course fully contextualised and in real-time, so an employee can see what they’ve done wrong and then how to avoid this risky activity in the future. This is a much more effective way of raising awareness and comes at a lower cost due to the courses being specifically targeted and streamlined to each individual’s needs.